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Transparent Access Authentication for IMS in ZG and 2.5© 
Mobile Access Networks 


in standardisation of UMTS Rel.5 comprehensive means are 
foreseen to perform authentication on the application layer 
with no need to interwork with the underlying radio and 
transport networks. The mechanisms are based on the 
assumption that a specific environment is prepared for 
deployment of IMS. it includes the use of ISIM application, 
which in turn requires Rel.99UICC's in the connected end 
devices to handle the aka. 

In case of deployment of IMS and IMS based services in a 
network environment which is characterised -by the use of SIM 
cards , the standardised authentication mechanism will not be 


The present paper describes a method for application layer 
authentication of subscribers, connected to the 
authenticating network domain by a 2G or 2.5G GPRS core 
network or a 3G UMTS network. The authentication will be 
based on data which is assembled by the network layer during 
establishment of a PDP context in GPRS networks. This 
information is secured by standard SIM card application. As 
25 the same mechanisms are used for authentication in 3G 
networks, the further described mechanism would also be 
applicable there. No standard would be touched in any way 
while using a 2G or 2-5G access network, because no 
authentication on application layer is foreseen in the 
standard. For UMTS Rel.5 standards and following, the 
standard foresees specific methods ..• The use of the further 
described method would be possible, although the standardised 

4 

on mechanism needs to be switched off. Switching 
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off the standardised, authentication mechanism could be 
interpreted as standard sensitive, but subsequent use of the 
further described mechanism would be standard compliant 
again. 

Finally a migration path to UMTS Rel.5 standardised 
authentication and the concept for parallel use of bot 
mechanisms will be described. 


10 


During PDP context establishment the SGSN is authenticating 
the subscriber using the A3/A8 algorithm based on the end 
devices SIM card in case of GSM and 2.5G GPRS and EDGE access 
network. In 3G networks authentication is done based on 


15 

The GGSN receives a context creation request and queries a 
Radius server to get an IP address assigned for the 
particular PDP context. Within the context the Radius server 
receives the MSISDN and/ or the IMSI of the subscriber. So in 

20 the database of the Radius server we find for each PDP 

context a pair of IP address and IMSI/MSISDN. Based on the 
TEID the GGSN filters all packets running through the PDP 
context once established, for the correct TP source address. 
This means the GGSN checks matching TEID/IP address pairs, 

25 thus preventing falsification of source addresses and so 

called "IP spoofing" for the complete lifecycle of the PDP 
context . 

In the application domain a database exists that stores all 
PublD's the subscriber is using in the domain, referring it 
30 to his PriviD, which is unique in the respective application 
. domain. The PriviD is correlated with an MSISDN and/ or IMSI. 
In the request the user gives his PriviD for registration. 
Upon receiving the registration request, the registration 
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proxy queries the database containing the subscribers ID'S 
(both public and private) together with the MSISDN/IMSI. This 
data is stored in a table on the proxy platform. 
Subsequently the proxy queries the database of the Radius 
5 server in order to get the assigned IP address of that 

session and the IMS I/MS.ISDN already authenticated by the- HLR. 
The authentication of the HLR guarantees further that the IP 
address can be considered to be authenticated as well. Also 
this information is stored in the table on the proxy 
10 platform. 


Now the proxy starts the authentication procedure. 

« 

First it checks IMSI/MSISDN from Radius server database and 
15 application domain database for match. If the pairs are not 
matching the subscriber has tried to register with an 
incorrect PrivID, which is not correlated with his 
IMSI/MSISDN, if the pairs are matching the next step is 
performed. 

20 

Second step is checking the subscribers IP address in the IP 
network layer, meaning in the IP packet overhead field for 
source address for match with the IP address assigned by the 
Radius server. As the IP address was assigned to an 
25 IMSI/MSIsraT-authenticated session, also the IP address can be 
considered as authenticated. 

If the pairs are not matching,- the subscriber used an 
incorrect IP address , if the pairs are matching the 
subsequent step is performed. 

30 

* 

The proxy parses the application layer for IP addresses given 

« 

in the headers of e. g* SIP registration message, SDP message 
bodies, etc and checks for match with the IP address in, 
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which was already checked for match with the IP address 
assigned by the Radius server. If the pairs are not matching 
the subscriber used incorrect signalling inf ormation, e. g. 
response addresses f etc- If the pairs are matching, the 
5 session setup can be considered as authenticated. 

In all subsequent messages arriving at the proxy, it checks 
for match of IP address in the IP packet overhead field for 
source address with that in the application layer protocol 
10 header fields and verifies the matching pairs against the IP 
address assigned by the Radius server. 

If PublD's are used in the following session, the PublD's are 
checked against the PrivID which was stored in a table on the 
proxy platform after querying the application domains 
15 database- 

The described functionality gives the network operator the 
opportunity to run authentication transparently to the end 
device, without requiring proprietary extensions and 
20 functions on network or client side. In case of SIP based 
signalling, the migration to fully standard compliant UMTS 
Rel.5 mechanisms and a strategy for parallel operation is 
necessary, this will be described now. 

25 As the IMS domain as standardised for UMTS Rel.5 will include 
it's own authentication mechanism, it is necessary to support 
a scenario where the subscribers are migrating to ISIM 
enabled end devices , To exploit the benefits of the 
standardised authentication mechanism, both mechanisms have 

30 to be supported in parallel . 

This is done by an additional function that checks each 
incoming signalling message, first for the protocol, if it's 
any other protocol than SIP, the session is routed to the 
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proxy. The same routing decision is taken if the message is 
based on SIP, but the client does not support standardised 
UMTS Rel.5 authentication. If the client does support 
standardised authentication method, e. g. is ISIM enabled, 

5 the message is routed to the standard compliant P-CSCF. First 
trigger for routing decisions is the protocol type, as 
described above. Further triggers could be the key exchange 
mechanism used for setting up the secured connection between 
UE and P-CSCF ( if the end device is starting key agreement, 

10 it can be considered as standard compliant and the request is 
routed to the P-CSCF) , or other elements included in the UMTS 
Rel-5 header as well as any private extension, which is, 
however^ possible but not necessary. If trigger points 
available in signalling should be insufficient, also database 

15 lookups can be used to base routing decisions on. 


20 UICC 


25 


30 
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1. Method for application layer authentication of 

5 subscribers, connected to the authenticating network domain 
by a 2G or 2.5G GPRS core network or a 3G UMTS network, 
characterised by using data which are assembled by the 
network layer during establishment of a PDP context in GPRS 
networks . 

0 

2. System of units in a mobile telecommunication network, 
characterised that at least a first authentication unit is 
connected via a data line to a second unit which assembles 
data according to the method of claim 1. 


